web app security issues

Hi,

I am trying to implement web app security. I have a web-app called security running on my tomcat. I am able to implement authentication and authorization,but am not able to implement data confidentiality. The problem that I am running into are listed below:

1) Whenever I try to implement data confidentiality, I get a page cannot be displayed error. But when I comment out the <user-data-constraint> element in web.xml, it works ok. So I am unable to run a secured HTTPS over SSL request.

2) When I do not have <http-method> element, why does it allow access to my servlet...I guess it should not?

3) When I have only POST as the constaint method ie <http-method>POST</http-method>, then the first page that get loaded is the welcome file...the container does not ask for authentication. The welcome file (which in this case happens to be form.html), then does authentication on submit. But if we have <http-method>GET</http-method>, then container authenticates and does not load the welcome page, but loads it only after authentication....Can anybody tell me why this discrepency.

4) I generally type each user with their password and roles in tomcat-user.xml. How to configure this using database such as oracle or mysql. I am sure we do not type this info in tomcat-users.xml in real time app.

My web.xml file looks like this. Kindly tell me what aspect I am overlooking. Hoping for the response on all 4 aspects.

MY web.xml

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">

<welcome-file-list>
<welcome-file>form.html</welcome-file>
</welcome-file-list>

<servlet>
<servlet-name>Security</servlet-name>
<servlet-class>com.example.web.Secure</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>Security</servlet-name>
<url-pattern>/secure.do</url-pattern>
</servlet-mapping>

<security-role>
<role-name>tomcat</role-name>
<role-name>manager</role-name>
<role-name>admin</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>SecurityCheck</web-resource-name>
<url-pattern>/*</url-pattern>

<http-method>GET</http-method>

</web-resource-collection>

<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>



</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/loginPage.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
</web-app>
[ July 20, 2006: Message edited by: Bear Bibeault ]

With regard to point 4, you can configure Tomcat to use a JDBC realm, which is an implementation of Tomcat's 'Realm' interface. The default implementation that comes 'out of the box' will read user info from a flat text file (tomcat-users.xml), but a JDBC realm will read from a db of your choice.

Configure it in server.xml as follows:

userTable - the table containing the user info
userNameCol - the column name containing usernames
userCredCol - the coumn name containing passwords
roleNameCol - the column name containing the roles
userRoleTable - the table mapping users to roles

With regard to the other points, have you configured an SSL connector for Tomcat? Check out

http://tomcat.apache.org/tomcat-5.5-doc/connectors.html

and

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JDBCRealm

A lot of good information on Tomcat realms and how to set them up is contained in the Tomcat documentation.